e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
Size

114KB
MD5

f46d782a83335b05c178404fd5ec0273
SHA1

7a5093765410935eedbaa7b49ad4782f41367305
SHA256

e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1
SHA512

25827c3b543da6b07ce85b811bf4cb6fa05aa7b7ea4a386374702aa2225284c5cf10e04dfcbc0f6d8d0cacab57e7bcf883ecaffeeabcf7046a5ecd8c87e72786
SSDEEP

768:3x/5inm+cd5rHemPXKqUEphjVuvios1rPr4adL0NqlJMU6wiK1rEKlcIQ1TTGfou:3xRsvcdCQjosnvnZ6grfQ1b4J

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x000000000044C000-memory.dmp	UPX
behavioral1/memory/2436-7-0x0000000004B80000-0x0000000004BCC000-memory.dmp	UPX
behavioral1/files/0x0038000000014349-5.dat	UPX
behavioral1/memory/2436-13-0x0000000000400000-0x000000000044C000-memory.dmp	UPX
behavioral1/memory/2352-14-0x0000000000400000-0x000000000044C000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2352	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2436-7-0x0000000004B80000-0x0000000004BCC000-memory.dmp	upx
behavioral1/files/0x0038000000014349-5.dat	upx
behavioral1/memory/2436-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2352-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2352	2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	28
PID 2436 wrote to memory of 2352	2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	28
PID 2436 wrote to memory of 2352	2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	28
PID 2436 wrote to memory of 2352	2436	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	28

C:\Users\Admin\AppData\Local\Temp\e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
"C:\Users\Admin\AppData\Local\Temp\e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
114KB

MD5
b827854f0c996bffe530c6e589e070bb

SHA1
4df809300e48dc1e1900c39ca43791bb6b2deb56

SHA256
9b1e0b08a0807b80ad404d42a944483dac92ea86a1a2c91c0f03d08dcbde68dd

SHA512
00acd4ad0a10f7473133dbb9ad0c4dc7c61a927aa1c9d082d465000a48c9cc4d4ea95671198b9d1bf15a1eb747c6245f85acd4a033f5fd9ce034043bf3c6ea48

Download Submit
memory/2352-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2436-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2436-7-0x0000000004B80000-0x0000000004BCC000-memory.dmp

Filesize
304KB

Download
memory/2436-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download